The human factor is one of the most challenging components of cybersecurity, and the topic where the human factor is most evident is insider threats. Insider attacks negatively impact an organization’s reputation, customer trust, and investor confidence by a strike from perceived as trustworthy and, therefore, a weak point.
20% of instances involving data breaches are attributable to insiders, according to Verizon’s 2022 Data Breach Investigation Report (DBIR). However, insider threats rank higher than expected cyber security threats. According to a survey conducted by Statista among CISOs worldwide as of March 2022, insider threats are one of the leading cybersecurity risks, with 31% of CISOs citing insiders as one of the top cybersecurity threats.
Insider Threats 101
An insider is a person who has or knows the structure and/or authorized access to an organization’s resources, including personnel, facilities, information, equipment, networks, and systems. So, current and former employees, contractors, and business partners are all insiders that could pose a threat.
The Cybersecurity and Infrastructure Security Agency (CISA) identifies insider threat as the risk that an insider will use their authorized access to harm the department’s resources, personnel, facilities, information, equipment, networks, or systems, whether on purpose or accidentally.
So, an insider threat is the insider’s potential to jeopardize the confidentiality, integrity, and availability of any sensitive data belonging to the organization. Insider threats may appear in different forms, including violence, espionage, sabotage, theft, and cybercrime.
Insider threats can be classified into two primary categories: unintentional (negligence) and intentional (malicious).
- Unintentional insider threat: Rather than resulting from malicious purposes, unintentional insider threats are typically the product of carelessness, ignorance, lack of cybersecurity awareness, or human error. Anyone can be an unintentional insider if they lose a device, use weak passwords, accidentally reveal sensitive information, fail to secure an endpoint or become subject to a social engineering attack.
2. Malicious insider threat: A malicious insider threat occurs when an authorized user intentionally causes damage to an organization. Malicious insiders may purposely install malware to disrupt system operations or share, sell, modify, or delete private/confidential data.
Malicious insider threats are often motivated by personal objectives such as financial gain or career advancement, revenge or desire to harm the organization, ideological reasons such as political, religious, or social benefits, and coercion such as threat or blackmail to force malicious activity. When malicious insider threats are mentioned, one of the foremost examples is Edward Snowden, who leaked classified information from the NSA’s global surveillance programs in 2013. Snowden, a former NSA contractor, had been granted a security clearance and had access to sensitive information.
Understand the Threat Landscape
All organizations, regardless of industry or size, can potentially be victims of insider threats, and insider incidents are usually part of a larger cyberattack. These threats are particularly challenging to identify and prevent because they are typically created by insiders with access to sensitive data and systems.
The first step in dealing with insider threats is to understand the threat landscape. Organizations should be aware of the different types of insider threats and understand their motivation.
Once organizations understand the threat landscape, they should identify the key indicators of insider threats on the surface and the dark web:
Unusual or suspicious activity on employee accounts: User sign-ins frequently follow everyday patterns. Any login that differs from the routine, accessing and uploading sensitive data or systems outside of regular business hours or from regions outside their usual locations, attempted access to non-relevant critical data, failed authentication logs, alerts on DLP or Network Anomaly security technologies are crucial indicators of insider threat.
Suspicious social media posts: Social media posts that mention planning to leak or steal company information may indicate disgruntled employees or threat actors who are prepared to target the organization.
Sensitive data offered on dark web marketplaces: If sensitive data belonging to an organization is stolen by an employee or accidentally exposed due to negligence or carelessness, it will likely be sold on the dark web. Therefore, detecting sensitive data being offered for sale on dark web marketplaces may indicate insider threats.
Company-related information on dark web forums: An underground forum that contains information accessible to particular individuals within a company is a serious sign that someone within the company may have leaked the information and/or someone has fallen victim to a cyber attack like phishing. In either case, the fact that company-related information appears on a dark web forum can be a strong indicator of insider threats.
Recruitment post for insiders on the dark web: Cyber criminals seek to exploit insiders for their profit. So, many threat actors post recruitment calls for insiders. The attackers may offer payment or other rewards to entice insiders to cooperate with their purpose.
The post may also be for a specific industry or organization. Also, the post might include precise information about the insiders the attackers are looking for, like a system administrator or someone with access to the financial system.
There are also posts on the other side of the coin, such as insiders looking for threat actors to collaborate with.
Insider threats are a complex and challenging issue in cybersecurity that can have severe consequences for an organization’s reputation, customer trust, and financial stability and may even lead to legal sanctions. While insider threats are not new, the increasing reliance on technology and the rise of remote work have made all types of insider threats, whether malicious or accidental, well-planned or opportunistic, more difficult to detect.
Therefore, organizations need to be aware of the different types of insider threats and understand their motivation. Also, organizations need to develop a comprehensive insider threat program that includes a combination of technical controls, policies and procedures, and employee training. In this context;
- Establishing the least privilege approach, which means giving employees access only to the resources they need to do their jobs,
- Training users for awareness of data security and reaching the level of knowledge to identify suspicious activities,
- Setting policies for topics such as email and personal device usage and encouraging them with deterrent sanctions,
- Using background checks, onboarding, and offboarding checklists that enable organizations to systematically manage their workforce and minimize the risk of issues such as fraud, data breaches, or legal liability,
- Using authentication protocols,
- Establishing protocols to ensure that suppliers and contractors are regularly reviewed for compliance with security policies and industry standards will help organizations against insider threats.
Additionally, by adopting a proactive approach like Extended Threat Intelligence solutions to insider threat management, organizations can detect and respond to potential threats before they can cause significant damage.
SOCRadar Extended Threat Intelligence can provide valuable insights into insider threat activity by monitoring 7/24 surface and dark web and enable organizations to stay ahead of potential threats.